
How Weak Mobile Health App Privacy, Security Affects Patients

June 19, 2017 - Mobile users are increasingly turning to their devices for healthcare needs, whether through fitness trackers or to communicate with providers. However, inadequate mobile health app privacy protections, or policies that are difficult to understand, could raise patient data privacy concerns.

Researchers reviewed 125 iPhone apps that matched the search terms “medical + dementia” or “health & fitness + dementia.” Of those apps, 33 had available privacy policies.

Furthermore, 70 percent described safeguards on data, and approximately three-quarters differentiated between protections for individual versus aggregate data.

“At present, most dementia apps lack privacy policies, and those that do exist lack clarity,” researchers explained. “Bolstering safeguards and improving communication about privacy protections will help facilitate consumer trust in apps, thereby enabling greater use by adults with dementia and their caregivers.”

Eighty-one percent of the sample apps did not have a privacy policy. Of the apps that did have a privacy policy, not all of the provisions actually protected privacy. For example, the majority would collect user data and approximately half shared the data.

Thirty-one of the 41 apps without privacy policies shared user information. However, the difference was not statistically significant, as 19 of the 24 apps with privacy policies also shared user data.

“This study demonstrated that diabetes apps shared information with third parties, posing privacy risks because there are no federal legal protections against the sale or disclosure of data from medical apps to third parties,” researchers explained.

“Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case,” the team continued. “Medical professionals should consider privacy implications prior to encouraging patients to use health apps.”

Previous studies have also shown that mobile health apps might have privacy policies, but that those policies are not easy to find. This could lead individuals to allow more access to their health data than they actually want.

Sixty-one percent of top health and fitness apps linked to their privacy policy from the app platform listing page, 10 percent lower than the share for top apps overall.

“Even though a privacy policy is not the be all and end all for building consumer trust, there is no excuse for failing to provide one – doing so is the baseline standard,” FPF’s Vice President of Policy John Verdi said in a statement. “App platforms have made it easier for developers to provide access to privacy policies. Consumers expect direct access to privacy policies, and users can review them before downloading an app.”

Researchers also noted that health and fitness apps typically have access to sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device.

“While most apps do provide consumers with the most basic notices about how their personal data will be collected, used, and shared, it’s also clear that a significant number do not,” report authors stated. “Although a privacy policy is only a starting point for protecting individuals’ privacy, it is an important baseline standard all around the world.”

Federal agencies are also aware that security and privacy policies do not always keep pace with evolving technology.

The ONC Privacy Snapshot Challenge aimed to help consumers better understand a specific product’s privacy and security policies. ONC urged developers, designers, health data privacy experts, and other innovators to use content from the Model Privacy Notice (MPN) template to create the tool for individuals.

“The MPN and Challenge reflect ONC’s overall efforts to address the rapid pace of change regarding wearables and other types of health information technology,” ONC stated in its first call for action. “As ONC outlined in a July 2016 report to Congress, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA, many new businesses use consumer-facing technology to collect, handle, analyze, and share health information about individuals – sometimes without those individuals’ knowledge.”